Improve removal of storage-encryption-secret finalizer #604

Open
wants to merge 1 commit into
base: main

@eberlep eberlep commented Jul 4, 2025

When we create the storage-encryption-key secret, we add a finalizer. Since this finalizer would block the deletion of the whole namespace if it wasn't removed, we always try to remove that finalizer, even if the enableRandomStorageEncryptionSecretFlg is currently set to false. We do this because it might have been set to true in the past, which would mean there might be existing secrets with finalizers which would, again, block the removal of the namespace.

Now the problem is that we do not take a closer look at the err when fetching the secret to remove its finalizer. If the secret is not found, there is no corresponding finalizer and we could continue the removal of the namespace without error. But since we don't check for the actual error content, we show an error message when deleting any postgres database that does not have that storage-encryption-key (since we cannot fetch the non-existent secret to remove the non-existent finalizer).

To solve this, we simply check for IsNotFound and carry on.
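The error handling described in the comment above, as an added example that is not part of this pull request or the project's code. `Store`, `ErrNotFound` and the finalizer name are constructed stand-ins using only the standard library; a real operator would use the Kubernetes client and `apierrors.IsNotFound`.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound stands in for the API server's NotFound status (assumption).
var ErrNotFound = errors.New("not found")

// Secret is a reduced stand-in for a Kubernetes Secret.
type Secret struct{ Finalizers []string }

// Store is a constructed in-memory client; GetErr simulates an API failure.
type Store struct {
	Secrets map[string]*Secret
	GetErr  error
}

func (s *Store) Get(name string) (*Secret, error) {
	if s.GetErr != nil {
		return nil, s.GetErr
	}
	if sec, ok := s.Secrets[name]; ok {
		return sec, nil
	}
	return nil, fmt.Errorf("secret %q: %w", name, ErrNotFound)
}

// RemoveFinalizer strips finalizer from the named secret during cleanup.
func RemoveFinalizer(s *Store, name, finalizer string) error {
	sec, err := s.Get(name)
	if errors.Is(err, ErrNotFound) {
		return nil // no secret means no finalizer can block namespace deletion
	}
	if err != nil {
		return fmt.Errorf("fetching secret to remove finalizer: %w", err)
	}
	kept := make([]string, 0, len(sec.Finalizers))
	for _, f := range sec.Finalizers {
		if f != finalizer {
			kept = append(kept, f)
		}
	}
	sec.Finalizers = kept // a real client would send an Update here
	return nil
}

func main() { // placeholder finalizer name, not the project's
	fmt.Println(RemoveFinalizer(&Store{}, "storage-encryption-key", "example.invalid/finalizer"))
}
```

Only the not-found case is treated as success; any other fetch error still surfaces, so a transient API failure cannot silently leave a finalizer in place.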
